Posted
by
CmdrTaco on Monday September 27, 2010 @12:22PM
from the freeing-up-the-cpu dept.

An anonymous reader writes "Given the great potential of general-purpose computing on graphics processors, it is only natural to expect that malware authors will attempt to tap the powerful features of modern GPUs to their benefit. In this paper, the authors demonstrate the feasibility of implementing malware that can utilize the GPU (PDF) to evade virus scanning applications. Moreover, the authors discuss the potential of more sophisticated attacks, like accessing the screen pixels periodically to harvest private data displayed on the user screen, or to trick the user by displaying false, benign-looking information when visiting rogue web sites (e.g., overwriting suspicious URLs with benign-looking ones in the browser's address bar)."

Rewriting arbitrary stuff on your screen is possible for any virus without "infesting" the GPU. You own the OS, so you can force the GPU to paint anything you want without running specialized code on it. In fact, simply changing the contents of the screen was all that most old DOS viruses did. The interesting part is the "hiding from detection" part, not the "yet another way to write stuff on the screen" part.

That so? I thought owning a modern OS wouldn't give you the hardware access you had in the ol' days of DOS, not by a long shot. Just freely drawing around the screen doesn't work. Getting your code run by the GPU, OTOH...
Maybe I should actually read what this story is about, seems interesting.

Ooooohhh no, you're not thinking evil enough. If you are gonna go to THIS much trouble, you need to go WMD evil, like this: (cue Twilight Zone theme) Imagine, if you will, a poor PC user slowly being driven out of his mind, because no matter what he clicks, no matter where he goes, all he gets is "The Safety Dance" on an endless loop while a midget moons him onscreen. He tries to play a game? Safety Dance. Watch a video/listen to music? Safety Dance. No matter how many times he reboots he cannot escape the ass

Hey, moron mod? How exactly is responding to someone who wants to use the GPU for a Rickroll with a suggestion of using Safety Dance in its stead flamebait? What are you, a midget bigot, or just someone with a hard-on for the 80s? If I had wanted to go flamebait I would have suggested the RMS eats toe cheese [youtube.com], or maybe Linus giving a thumbs up to Win 7, dumbass.

And nobody answered my question: will CUDA code work on ANY modern GPU, or just Nvidia? Does one need to have CUDA installed for it to work? Will it w

I am not a CUDA developer, but I'm pretty sure that yes, it only works on nVidia GPUs, but no, you don't need to install the CUDA SDK to be able to run CUDA apps; all you need is the hardware. So it would be a pretty big target, really.
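For what it's worth, the "hardware is enough, no SDK needed" part is easy to probe from userland, because CUDA apps link against the driver-side library (nvcuda.dll / libcuda.so) that ships with the NVIDIA display driver itself. A minimal sketch, assuming only stdlib name lookup (not any official CUDA API):

```python
import ctypes.util

def cuda_driver_present() -> bool:
    """Best-effort check for the NVIDIA CUDA *driver* library.

    CUDA binaries load nvcuda.dll (Windows) or libcuda.so (Linux),
    which is installed with the display driver, not the CUDA SDK --
    so any machine with a recent NVIDIA driver is a potential target.
    """
    for name in ("nvcuda", "cuda"):
        if ctypes.util.find_library(name):
            return True
    return False
```

On a machine without NVIDIA hardware this simply returns False; it proves nothing about whether a kernel would actually launch, only whether the driver library is resolvable.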

I know that malware authors would think of doing this eventually, but I still think that giving them ideas like this is Bad. Just look at what happened with Twitter this week: someone releases a harmless proof-of-concept type attack, and already the script kiddies are coming

Eh, this is way sneakier, and could be far more effective, since you could modify/hide anything from the user.

It would be pretty difficult to determine which pixels are the URL bar on the GPU though. Unless of course all this GPU acceleration they're putting in browsers now allows you to somehow read the coordinates directly.

Breaking key-based encryption used to be considered hard to do. Bring more horsepower to bear, ie. a GPU, and today's Hard To Do turns into a Proof of Concept and eventually becomes tomorrow's Commonplace.

Ah, but what about the dreaded massively distributed brute-force method for attacking something like 128-bit RC5 encryption? There are massive zombie farms of infected computers throughout the world, and some may have grown as large as 1 million infected machines. What if that entire army were unleashed upon commonly used 128-bit RC5 encryption? Surprisingly, the answer is: not much. For the sake of argument, let's say we unleash 4.3 billion computers for the purpose of distributed cracking. That would be 4.3 billion (2^32) times faster than a single computer, so we can take the 2^128 combinations of a 128-bit key and divide by 2^32, which leaves 2^96. With 96 bits left, it's still 4.3 billion times stronger than 64-bit encryption. And a 64-bit key happens to be the world record for the biggest RC5 key ever cracked, which took a massive distributed attack nearly 5 years to achieve, finishing in 2002.

Now that we know that distributed attacks will only shave off a few bits, what about Moore's law, which historically has meant that computers roughly double in speed every 18 months? At that rate it takes 48 years to shave another 32 bits off the encryption armor, which means 5 trillion future computers might get lucky after 5 years of searching for an RC5 128-bit key. But with 256-bit AES encryption, that moves the date out another 192 years before computers are predicted to be fast enough to even attempt a massively distributed attack. To give you an idea how big 2^256 is, it's roughly equal to the number of atoms in the universe!
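The back-of-the-envelope arithmetic in the two paragraphs above can be checked in a few lines (same numbers as the post, no cryptographic claims):

```python
# Dividing 2^128 work among 2^32 (~4.3 billion) machines
# removes exactly 32 bits of effective key strength.
botnet = 2 ** 32
effective_bits = 128 - 32        # -> 96 bits of work per machine

# The remaining 2^96 search is still 2^32 times the record-setting
# 64-bit RC5 crack mentioned above.
margin_over_64bit = 2 ** (effective_bits - 64)
assert margin_over_64bit == botnet

# Moore's law: one speed doubling every 18 months shaves 1 bit.
years_to_shave_32_bits = 32 * 1.5           # 48 years
years_for_aes256_extra = (256 - 128) * 1.5  # 192 more years for AES-256
print(years_to_shave_32_bits, years_for_aes256_extra)
```

Which matches the 48-year and 192-year figures claimed in the post.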

I'm trying to create a similar plugin, only converting a specific type of text to garbage; the problem is that I don't have time to start from scratch and I can't find anything similar to start with as a base.

Malware writers have been doing something like that for a while now, mainly to deal with the on-screen keyboards that some lending institutions require. I'm not sure that it's particularly prevalent at this point, but the technology to exploit that is already there.

I used to run a small computer repair and write-to-order software shop for a living while at university, together with two other people. One of them had that idea around 1994. In those days it was just a matter of storing the code in video RAM pages that are not directly accessible to a scanner and keeping a small polymorphic bootstrap routine in main memory.

What goes around comes around. Looks like this is using a similar approach. Even if you compute some stuff on the card you still need a bootstrap within the main system to use it and talk back to the "mothership".

I agree that somehow the code has to get into the GPU, which means a bootstrap of some kind from the main CPU. I'm not sure it has to remain in the main memory for any period of time, however, as long as the graphics card has DMA access back into main memory.

I'm not sure how memory protection works on the most modern systems, but at least in the past DMA had wide-open access to everything. So, if the graphics card needed to get back into the CPU for a short time, it could just modify the interrupt descriptor table.

DMA is not a problem. It goes via the GART (and has since the AGP days), so the GPU can only see the bits of memory that it is explicitly shown. A bigger problem is that separate processes may not be isolated from each other on the GPU, so your WebGL program and your window server may be running in the same virtual address space on the GPU. Your WebGL program is then free to read or write any window's contents, as long as it can find the correct virtual address for the buffers.


Well, that's already an issue. I've seen malware that fakes a "Blue Screen of Death" with a warning about viruses. You can't Alt+Tab or Alt+F4 out of it, and Ctrl+Alt+Delete does nothing; it acts just like a real Blue Screen of Death except for two things: your mouse is still visible and moves, and it'll actually go away if you leave it alone for 5 minutes, instead of triggering everyone's initial reaction to reboot the machine.

I always wondered how it was they managed to bypass all the other functions that I should have had available

User and role based authentication/authorization is essential to security, but not sufficient. A machine that brings authentication/authorization down to the process level would be more secure.

I'd like a PC that enforced access control on every running process. Every call to any hardware, whether CPU, MMU, GPU, or any bus, would require authentication. A crypto ASIC with scores of simultaneous auth units, each pointing at a process space and the ACL table, could authorize operations in just a few extra clock ticks per process: at startup, and randomly every dozen or so calls, more frequently when there's a "heightened alert" either by network notification or during and after other security events like DoS attacks and malware discovery.

So I'm guessing you've never used any modern security focused operating system.

We've had everything you've mentioned for years... probably 30 years or more.

The problem is, if you want to get anything done in a reasonable amount of time, you're going to turn all that stuff off. When you hook EVERY syscall things tend to get mighty slow. Go run some software in a profiler and you'll get a rough idea of just how shitty it performs in the real world.

I have. All of which is why I want the machine to have an ASIC that effectively adds an AUTH instruction that takes only a few clock cycles, rather than do this essential operation in software every time, also caching credentials and grants in ASIC RAM or LUT.

I think it would work very well to support rules like "no browser process can access my disk" plus "email processes can access my disk", even if email is running as my user and so are other processes. Think of host firewalls like ZoneAlarm that assign permissions for network access per process per user, but applied to the entire range of HW.
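A toy model of the per-process rule table the poster is describing, with hypothetical process and resource names purely for illustration (real systems express this kind of policy through MAC frameworks like SELinux or AppArmor, or, for the network case, per-process firewalls like the ZoneAlarm example):

```python
# Toy per-process access-control table: (process, resource) -> allowed.
# All names here are made up for the example.
ACL = {
    ("email",   "disk"):    True,
    ("browser", "disk"):    False,  # "no browser process can access my disk"
    ("browser", "network"): True,
}

def allowed(process: str, resource: str) -> bool:
    # Default-deny: anything not explicitly granted is refused,
    # the same posture as ZoneAlarm's per-process network prompts.
    return ACL.get((process, resource), False)
```

The interesting design choice is the default-deny fallback: a process never seen before gets nothing until a rule (or, in the poster's scheme, an approval dialog) adds it to the table.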

"no browser process can access my disk"You want no caching at all?You want 'save page source' to not be possible?You want it impossible to download anything off the web?You want it to be impossible for external document viewers to view temporary files?You want there to be no persistent cookie storage?You want there to be no persistent storage of any settings that could be changed from within the program?You want there to be no possibility for plugins?

Really, though, you're too dense to understand that such a use case is an arbitrary one that isn't the entire feature. Which is why I mentioned ZoneAlarm for an example. How about "no processes but the ones I've allowed today (before I connected the network) can access my disk or my network, until a dialog box adding them to the ACL is approved"?

Too dense to understand that a rough example, even one that might not be popular, only illustrates how the feature works; it doesn't mean the feature is limited to that example. The ZoneAlarm example alone should make that clear.

Modern GPUs include memory protection, so different processes can be prevented from reading each other's VRAM, just as they can be prevented from reading each other's RAM. This is not always used by the drivers, which may simply map the entire physical VRAM into the GPU's virtual address space. With properly written drivers, this kind of snooping is much harder.

The big malware potential comes from WebGL. This allows you to run arbitrary GLSL code in the browser's (GPU) address space. Although you probably can't take over the entire display, you can potentially take over the entire browser window without permission. Hopefully, the driver will give you an entirely separate GPU address space per GL context, but given how incompetent AMD's and nVidia's driver teams have demonstrated themselves to be, I doubt it.

That sounds nice in theory, but I know that at least with NVIDIA's computing driver there isn't a whole lot of memory protection going on. My experience has been that it's not terribly difficult to crash your entire system with a user-level program.

Then this gives us hope for the Gallium3D driver stack to fix this and implement proper memory protection on hardware that supports it. Well, too bad for Windows users.

And nonetheless, AdBlock Plus and NoScript will very probably block GLSL as they do any other scripting language, so shoddy websites won't be able to assault you with unstoppable full-window ads. Well, too bad for IE users.

I don't want to blow the horn or wave the flag unless I know it's true. But given the various access levels and things that Linux uses in X.org and all that, I wonder whether those same issues are more or less likely in a Linux + X situation?

To my understanding, there is no direct reading or writing of the screen. There is screen-capture functionality, but I don't know how it works or whether it is simply a standard feature of the X window system (and either way, is THAT a vulnerability to be wary of?).

Oh boy... After reading through the first four paragraphs, I was reminded of Direct/Active-X. Device drivers in userland? I kinda knew about this but I guess I wanted to push it from my mind.

Is it really possible to have an advanced graphics environment with all the performance we desire without the windowing system having direct access to hardware? I suppose it would only be possible with an extremely rich API and high-speed communications interface and a whole lot of other things which would otherwise

With kernel modesetting, it is possible to run an accelerated X without root privileges (MeeGo does this) but currently there are safety caveats [lwn.net]. To support multiple simultaneous users there is a need for a revoke syscall otherwise other users could snoop your input devices by not dropping previous access to devices (you can watch some X devs discussing the issue on Phoronix [phoronix.com]).

No, you're thinking at the wrong level. The problem is that every application that gets an OpenGL context can upload programs to the GPU and run them. Fine in theory, and a modern GPU has the ability to isolate different contexts' memory from each other, but the drivers don't always use it (and don't always use it correctly when they do). If you're using an nVidia or ATi blob driver, then you have the same code controlling the GPU as a Windows user, so if the vulnerability is on Windows it will also be on Linux.

Headline: "Malware Running On Graphics Cards"
TFS/TFA: "Here's a paper showing that malware on graphics cards is theoretically possible and could possibly evade detection."
If you were trying to sensationalize the headline, you might as well have thrown "won't anyone think of the children!?!?" in there as well.

No kidding! This is just as bad as that rail-gun rocket launcher headline from 2 weeks ago that had nothing to do with crazy weapons.

Does anyone find it disturbing that taxpayers' money is used to do the bad guys' work for them? I can understand researching anti-malware strategies, but why are these people given money to come up with bad things to do to my computer?

If you were able to use the GPU to brute-force a password hash or similar authentication token for the system, you could install a rootkit on the card's option ROM.

1. It'd get to run with ring 0 access on each boot, before the OS has a chance to do anything.
2. On EFI systems it'd have access to a TCP stack and full FAT and NTFS filesystem access, all included in the EDK [transact.net.au]. So it could update itself on the fly each boot.

Once a virus is running on a system, it can shut down virus scanners and all that kind of stuff. That is always the case; it doesn't matter where it runs. The key is to keep it from running, and that's what virus scanners do. They are the doormen: they stop people who are on the "bad list" from coming in. Well, even if your virus were GPU-based, it'd still have to come in and execute on the CPU like normal. There is no way to directly load something into the GPU and run it there. As such, the virus scanner would get its chance to catch it like any other virus.

What is special: your AV would run at CPU speed while the packers/unpackers run at GPU speed. It would be like trying to catch a bank robber who drives a Ferrari while you're riding a push-bike. Granted, you can still control the "roads", but control them too tightly and I'll throw away your AV solution because it's making my computer run like a 386/40 MHz on an everyday basis.

Plus this kind of malware might be easier to deal with: Just shut down GPU processing. Unlike the CPU, that is a feasible thing to do. So if a system is infected, the GPU gets turned off, the malware cleaned, the GPU restarted. Graphics cards still work fine when addressed in old "Just a bunch of pixels," mode.

I imagine that a wise AV would use the GPU to actually run the unpacking and analysis/detection code faster.

You are confused into thinking GPUs are magical "everything acceleration" devices. Please remember, if that were the case, we'd just use them as CPUs instead. It isn't the case. GPUs are a special kind of processor, called stream processors. There are only some things they are good at; at other things, they are much slower than CPUs. You also miss that the virus has to execute on the CPU first. There is no way, none, in Windows to directly execute on a GPU. That's just not how the system works. You have to have a CPU process

You are confused into thinking GPUs are magical "everything acceleration" devices.

Oh, am I now? That's incorrect, but I wonder what made you think so?

So the virus has to come in, and then launch on the CPU, then it can unpack code to the GPU and execute it. The CPU process will still have to keep running the whole time, because that is how the system schedules resource time.

With the minor correction that the CPU may be scheduled to other processes/threads (until the GPU finishes and releases the lock on the memory), you are correct.

Again I fail to see what any of this gains. A virus scanner doesn't even need to look at the GPU to deal with this.

I never said the AV scanner would need to look at the GPU (only that it would be advisable for the AV scanner to use the GPU itself).

I assert that the AV scanner cannot make any decision based solely on the behavior of "program asks the GPU to do something, then starts executing from memory

None of the described future attacks are feasible. The shared framebuffer is not accessible to applications directly, for security reasons (the authors think this is "unfortunate"); direct access to the framebuffer is not "inevitable" in the future, since a much better technique is to use driver-controlled fast GPU blits: the data never leaves the GPU. Non-timesharing is a non-issue: the driver can detect timeouts and reset the hardware (TDR on Vista).

So the only real issue is a polymorphic virus that may use GPGPU decryption. If this happens, scanners will start using CUDA, or GPU virtualization.

And why not? It's a time-honored tradition to make code run anywhere you can. Those who owned C64s (especially those who read Transactor) will recall that for a while there, programming the 1541 floppy drive's CPU was just about as cool as could be.

Nowadays systems are so complex, and the tools to study them / keep an eye on them so relatively clueless, that there could be^H^H^H^H^H^H^H^H are dozens of things going on in our PCs that we are blissfully unaware of. Very unfortunate... making things simple enough